
Bug#849962: jessie-pu: package libpng/1.2.50-2+deb8u3



Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

CVE-2016-10087 is not worth a DSA; the Security Team asked for a point release update.

diff -Nru libpng-1.2.50/debian/changelog libpng-1.2.50/debian/changelog
--- libpng-1.2.50/debian/changelog      2016-01-07 20:39:14.000000000 +0100
+++ libpng-1.2.50/debian/changelog      2017-01-02 18:24:35.000000000 +0100
@@ -1,3 +1,10 @@
+libpng (1.2.50-2+deb8u3) jessie; urgency=medium
+
+  * debian/patches/CVE-2016-10087.patch:
+    - cherry-pick upstream fix for CVE-2016-10087
+
+ -- Gianfranco Costamagna <locutusofborg@debian.org>  Mon, 02 Jan 2017 18:21:33 +0100
+
libpng (1.2.50-2+deb8u2) jessie-security; urgency=high

* Non-maintainer upload by the Security Team.
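Review bot: the changelog entry says only "cherry-pick upstream fix for CVE-2016-10087" and gives no hint of what the defect is or what the fix changes, which is what the release team needs to judge a stable update without opening the patch. Suggest a short second line, e.g. "reset info_ptr->max_text together with num_text when the text array is freed (png.c)", plus the upstream commit reference that the patch header already carries.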
diff -Nru libpng-1.2.50/debian/patches/CVE-2016-10087.patch libpng-1.2.50/debian/patches/CVE-2016-10087.patch
--- libpng-1.2.50/debian/patches/CVE-2016-10087.patch   1970-01-01 01:00:00.000000000 +0100
+++ libpng-1.2.50/debian/patches/CVE-2016-10087.patch   2017-01-02 18:23:04.000000000 +0100
@@ -0,0 +1,12 @@
+Description: Fix CVE 2016-10087
+Origin: https://sourceforge.net/p/libpng/code/ci/794a15fad6add4d636369d0b46f603a02995b2e2/
+--- a/png.c
++++ b/png.c
+@@ -387,6 +387,7 @@
+          png_free(png_ptr, info_ptr->text);
+          info_ptr->text = NULL;
+          info_ptr->num_text=0;
++         info_ptr->max_text=0;
+       }
+    }
+ #endif
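Review bot: the patch header lacks the DEP-3 fields that make its provenance checkable, namely "Bug-Debian", "Applied-Upstream" (the Origin URL already points at the upstream commit, so this is known) and "Last-Update"; the "Description:" line also writes "CVE 2016-10087" without the hyphen used everywhere else in this debdiff. On the change itself: after png_free() the code already sets info_ptr->text = NULL and num_text = 0 but left max_text at its old value, so the recorded capacity no longer matched the freed buffer; adding "info_ptr->max_text=0;" brings the three fields back into agreement. Since a cherry-picked hunk should stay verbatim, that one-sentence rationale belongs in the DEP-3 Description rather than in the code.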
diff -Nru libpng-1.2.50/debian/patches/series libpng-1.2.50/debian/patches/series
--- libpng-1.2.50/debian/patches/series 2016-01-07 20:39:14.000000000 +0100
+++ libpng-1.2.50/debian/patches/series 2017-01-02 18:21:33.000000000 +0100
@@ -8,3 +8,4 @@
CVE-2015-8472/0002-Use-unsigned-constants-in-buffer-length-com.patch
CVE-2015-8472/0003-Fixed-bug-recently-introduced-in-png_set_PL.patch
CVE-2015-8540.patch
+CVE-2016-10087.patch
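Review bot: appending the new patch after the CVE-2015-8472 and CVE-2015-8540 entries is the right order for a fix cherry-picked on top of them, but the png.c hunk above carries only a line number (@@ -387,6 +387,7 @@) with no function context, so please confirm before upload that the full series still applies cleanly on the jessie source tree (for example with "quilt push -a") rather than relying on the offset matching.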
(attached debdiff)




Please ping me if you want me to upload it.


On Monday, 2 January 2017 at 7:19, Salvatore Bonaccorso <carnil@debian.org> wrote:
Hi Gianfranco,

libpng has one issue which is below the threshold for fixing it
in a DSA due to minor impact:

https://security-tracker.debian.org/tracker/CVE-2016-10087

There's still the possibility to fix this via a stable point update
[1], so I was wondering whether anything of that sort is planned by
you. The next point release is scheduled for the 14th of January [2].

Regards,
Salvatore

[1] https://www.debian.org/doc/manuals/developers-reference/ch05.html#upload-stable
[2] https://lists.debian.org/debian-release/2016/12/msg00412.html
